This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, fifteen has been updated via 3a3759c625c593e70a7bea479c11834152681565 (commit) via 8a2cf24a1f5de1e236d5514863b1f57cdd343f27 (commit) from 342a91ae257e461d3d0fe3a2da51a724c6f99a20 (commit)
- Log ----------------------------------------------------------------- commit 3a3759c625c593e70a7bea479c11834152681565 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Dec 8 16:07:35 2013 +0100
mountkernfs: fix mount of /sys and /proc without initrd.
commit 8a2cf24a1f5de1e236d5514863b1f57cdd343f27 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Dec 8 16:03:25 2013 +0100
kernel: enable grsecurity on rpi kernel.
-----------------------------------------------------------------------
Summary of changes: config/kernel/kernel.config.armv5tel-ipfire-rpi | 165 ++++++++++++++++++++++-- lfs/linux | 8 +- src/initscripts/init.d/mountkernfs | 4 +- 3 files changed, 162 insertions(+), 15 deletions(-)
Difference in files: diff --git a/config/kernel/kernel.config.armv5tel-ipfire-rpi b/config/kernel/kernel.config.armv5tel-ipfire-rpi index d343a9d..3f6c8da 100644 --- a/config/kernel/kernel.config.armv5tel-ipfire-rpi +++ b/config/kernel/kernel.config.armv5tel-ipfire-rpi @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 3.10.11 Kernel Configuration +# Linux/arm 3.10.22 Kernel Configuration # CONFIG_ARM=y CONFIG_SYS_SUPPORTS_APM_EMULATION=y @@ -94,7 +94,6 @@ CONFIG_TINY_RCU=y # CONFIG_IKCONFIG is not set CONFIG_LOG_BUF_SHIFT=19 # CONFIG_CGROUPS is not set -# CONFIG_CHECKPOINT_RESTORE is not set CONFIG_NAMESPACES=y CONFIG_UTS_NS=y CONFIG_IPC_NS=y @@ -187,6 +186,7 @@ CONFIG_MODULE_FORCE_UNLOAD=y # CONFIG_MODVERSIONS is not set # CONFIG_MODULE_SRCVERSION_ALL is not set # CONFIG_MODULE_SIG is not set +CONFIG_STOP_MACHINE=y CONFIG_BLOCK=y CONFIG_LBDAF=y CONFIG_BLK_DEV_BSG=y @@ -305,7 +305,6 @@ CONFIG_CPU_TLB_V6=y CONFIG_CPU_HAS_ASID=y CONFIG_CPU_CP15=y CONFIG_CPU_CP15_MMU=y -CONFIG_CPU_USE_DOMAINS=y
# # Processor Features @@ -370,7 +369,6 @@ CONFIG_CLEANCACHE=y CONFIG_FRONTSWAP=y CONFIG_FORCE_MAX_ZONEORDER=11 CONFIG_ALIGNMENT_TRAP=y -# CONFIG_UACCESS_WITH_MEMCPY is not set CONFIG_SECCOMP=y CONFIG_CC_STACKPROTECTOR=y
@@ -825,7 +823,6 @@ CONFIG_L2TP_IP=m CONFIG_L2TP_ETH=m CONFIG_STP=m CONFIG_GARP=m -CONFIG_MRP=m CONFIG_BRIDGE=m CONFIG_BRIDGE_IGMP_SNOOPING=y CONFIG_BRIDGE_VLAN_FILTERING=y @@ -1012,7 +1009,8 @@ CONFIG_HAVE_BPF_JIT=y # Generic Driver Options # CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug" -# CONFIG_DEVTMPFS is not set +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y # CONFIG_STANDALONE is not set # CONFIG_PREVENT_FIRMWARE_BUILD is not set CONFIG_FW_LOADER=y @@ -3766,7 +3764,6 @@ CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1" # CONFIG_PROC_FS=y CONFIG_PROC_SYSCTL=y -CONFIG_PROC_PAGE_MONITOR=y CONFIG_SYSFS=y CONFIG_TMPFS=y CONFIG_TMPFS_POSIX_ACL=y @@ -3977,7 +3974,6 @@ CONFIG_FRAME_POINTER=y # CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set # CONFIG_NOTIFIER_ERROR_INJECTION is not set # CONFIG_FAULT_INJECTION is not set -# CONFIG_LATENCYTOP is not set # CONFIG_DEBUG_PAGEALLOC is not set CONFIG_HAVE_FUNCTION_TRACER=y CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y 
@@ -4014,6 +4010,158 @@ CONFIG_EARLY_PRINTK=y # # Security options # + +# +# Grsecurity +# +CONFIG_PAX_USERCOPY_SLABS=y +CONFIG_GRKERNSEC=y +# CONFIG_GRKERNSEC_CONFIG_AUTO is not set +CONFIG_GRKERNSEC_CONFIG_CUSTOM=y + +# +# Customize Configuration +# + +# +# PaX +# +CONFIG_PAX=y + +# +# PaX Control +# +# CONFIG_PAX_SOFTMODE is not set +CONFIG_PAX_EI_PAX=y +CONFIG_PAX_PT_PAX_FLAGS=y +# CONFIG_PAX_XATTR_PAX_FLAGS is not set +# CONFIG_PAX_NO_ACL_FLAGS is not set +CONFIG_PAX_HAVE_ACL_FLAGS=y +# CONFIG_PAX_HOOK_ACL_FLAGS is not set + +# +# Non-executable pages +# +CONFIG_PAX_NOEXEC=y +CONFIG_PAX_PAGEEXEC=y +CONFIG_PAX_MPROTECT=y +# CONFIG_PAX_MPROTECT_COMPAT is not set +CONFIG_PAX_ELFRELOCS=y +# CONFIG_PAX_KERNEXEC is not set +CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="" + +# +# Address Space Layout Randomization +# +CONFIG_PAX_ASLR=y +CONFIG_PAX_RANDUSTACK=y +CONFIG_PAX_RANDMMAP=y + +# +# Miscellaneous hardening features +# +CONFIG_PAX_MEMORY_SANITIZE=y +CONFIG_PAX_MEMORY_STRUCTLEAK=y +CONFIG_PAX_MEMORY_UDEREF=y +CONFIG_PAX_REFCOUNT=y +CONFIG_PAX_USERCOPY=y +# CONFIG_PAX_LATENT_ENTROPY is not set + +# +# Memory Protections +# +# CONFIG_GRKERNSEC_KMEM is not set +CONFIG_GRKERNSEC_JIT_HARDEN=y +# CONFIG_GRKERNSEC_PERF_HARDEN is not set +CONFIG_GRKERNSEC_RAND_THREADSTACK=y +CONFIG_GRKERNSEC_PROC_MEMMAP=y +CONFIG_GRKERNSEC_BRUTE=y +CONFIG_GRKERNSEC_MODHARDEN=y +CONFIG_GRKERNSEC_HIDESYM=y +CONFIG_GRKERNSEC_KERN_LOCKOUT=y + +# +# Role Based Access Control Options +# +CONFIG_GRKERNSEC_NO_RBAC=y +# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set +CONFIG_GRKERNSEC_ACL_MAXTRIES=3 +CONFIG_GRKERNSEC_ACL_TIMEOUT=30 + +# +# Filesystem Protections +# +# CONFIG_GRKERNSEC_PROC is not set +CONFIG_GRKERNSEC_LINK=y +# CONFIG_GRKERNSEC_SYMLINKOWN is not set +CONFIG_GRKERNSEC_FIFO=y +# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set +# CONFIG_GRKERNSEC_ROFS is not set +CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y +CONFIG_GRKERNSEC_CHROOT=y +# CONFIG_GRKERNSEC_CHROOT_MOUNT is not set +CONFIG_GRKERNSEC_CHROOT_DOUBLE=y 
+CONFIG_GRKERNSEC_CHROOT_PIVOT=y +CONFIG_GRKERNSEC_CHROOT_CHDIR=y +# CONFIG_GRKERNSEC_CHROOT_CHMOD is not set +CONFIG_GRKERNSEC_CHROOT_FCHDIR=y +# CONFIG_GRKERNSEC_CHROOT_MKNOD is not set +CONFIG_GRKERNSEC_CHROOT_SHMAT=y +CONFIG_GRKERNSEC_CHROOT_UNIX=y +CONFIG_GRKERNSEC_CHROOT_FINDTASK=y +CONFIG_GRKERNSEC_CHROOT_NICE=y +CONFIG_GRKERNSEC_CHROOT_SYSCTL=y +# CONFIG_GRKERNSEC_CHROOT_CAPS is not set +CONFIG_GRKERNSEC_CHROOT_INITRD=y + +# +# Kernel Auditing +# +# CONFIG_GRKERNSEC_AUDIT_GROUP is not set +# CONFIG_GRKERNSEC_EXECLOG is not set +CONFIG_GRKERNSEC_RESLOG=y +# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set +# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set +# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set +# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set +CONFIG_GRKERNSEC_SIGNAL=y +CONFIG_GRKERNSEC_FORKFAIL=y +# CONFIG_GRKERNSEC_TIME is not set +CONFIG_GRKERNSEC_PROC_IPADDR=y +# CONFIG_GRKERNSEC_RWXMAP_LOG is not set + +# +# Executable Protections +# +CONFIG_GRKERNSEC_DMESG=y +CONFIG_GRKERNSEC_HARDEN_PTRACE=y +CONFIG_GRKERNSEC_PTRACE_READEXEC=y +CONFIG_GRKERNSEC_SETXID=y +# CONFIG_GRKERNSEC_TPE is not set + +# +# Network Protections +# +CONFIG_GRKERNSEC_RANDNET=y +CONFIG_GRKERNSEC_BLACKHOLE=y +CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y +# CONFIG_GRKERNSEC_SOCKET is not set + +# +# Physical Protections +# +# CONFIG_GRKERNSEC_DENYUSB is not set + +# +# Sysctl Support +# +# CONFIG_GRKERNSEC_SYSCTL is not set + +# +# Logging Options +# +CONFIG_GRKERNSEC_FLOODTIME=10 +CONFIG_GRKERNSEC_FLOODBURST=6 CONFIG_KEYS=y # CONFIG_ENCRYPTED_KEYS is not set CONFIG_KEYS_DEBUG_PROC_KEYS=y @@ -4027,7 +4175,6 @@ CONFIG_SECURITY_NETWORK_XFRM=y # CONFIG_SECURITY_SMACK is not set # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set -# CONFIG_SECURITY_YAMA is not set # CONFIG_IMA is not set # CONFIG_EVM is not set CONFIG_DEFAULT_SECURITY_DAC=y diff --git a/lfs/linux b/lfs/linux index b35813a..1a9f770 100644 --- a/lfs/linux +++ b/lfs/linux @@ -26,7 +26,7 @@ include Config
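Review bot: `# CONFIG_GRKERNSEC_KMEM is not set` in the new Memory Protections block leaves /dev/mem, /dev/kmem and /dev/port open to root, so a compromised root process can still rewrite kernel memory directly and the `CONFIG_GRKERNSEC_MODHARDEN=y` and `CONFIG_GRKERNSEC_HIDESYM=y` lines a few entries above buy much less than they appear to. Unless some RPi userland component is known to map /dev/mem (GPIO or VideoCore tooling would be the usual reason, worth confirming before flipping it), `CONFIG_GRKERNSEC_KMEM=y` is the expected setting for an appliance kernel. `# CONFIG_GRKERNSEC_PROC is not set` and `# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set` are weaker choices in the same hunk; if they were left off deliberately to match the other architecture configs, saying so in the commit message would spare the next reviewer the same question. The file header marks the config as generated, so any follow-up should be produced through the kernel's oldconfig flow rather than edited by hand.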
VER = 3.10.22
-RPI_PATCHES = linux-3.10.10-c1af7c6
+RPI_PATCHES = linux-3.10.10-grsec-c1af7c6
 GRS_PATCHES = grsecurity-2.9.1-3.10.22-ipfire1.patch.xz
 THISAPP = linux-$(VER)
@@ -75,7 +75,7 @@ rpi-patches-$(RPI_PATCHES).patch.xz = $(URL_IPFIRE)/rpi-patches-$(RPI_PATCHES).p
 $(GRS_PATCHES) = $(URL_IPFIRE)/$(GRS_PATCHES)
 $(DL_FILE)_MD5 = d2b030e809d0f03d2d6ddfcc5108d641
-rpi-patches-$(RPI_PATCHES).patch.xz_MD5 = ef9274b3ff5d05daaaa4bdbe86ad00fc
+rpi-patches-$(RPI_PATCHES).patch.xz_MD5 = f55981853573236069db5ad9fb7a4bd9
 $(GRS_PATCHES)_MD5 = 2fe9cf094b9069918f66b2b1895431eb
 install : $(TARGET)
@@ -122,11 +122,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 # Grsecurity-patches
 ifneq "$(KCFG)" "-headers"
-ifneq "$(KCFG)" "-rpi"
+#ifneq "$(KCFG)" "-rpi"
 cd $(DIR_APP) && xz -c -d $(DIR_DL)/$(GRS_PATCHES) | patch -Np1
 cd $(DIR_APP) && rm localversion-grsec
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.7-disable-compat_vdso.patch
-endif
+#endif
 endif
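Review bot: The rpi guard is commented out rather than removed (`+#ifneq "$(KCFG)" "-rpi"` and `+#endif`), leaving two Make-comment lines that still read like a live conditional and invite the next reader to assume grsecurity is skipped for the rpi flavour. Delete both lines so the block is just `ifneq "$(KCFG)" "-headers"` … `endif`; if the point is to record that rpi used to be excluded, a one-line comment such as `# grsecurity is applied to every kernel flavour except -headers` says it without dead syntax. The `$(TARGET)` rule this recipe belongs to starts before the hunk.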
 # Disable pcspeaker autoload
diff --git a/src/initscripts/init.d/mountkernfs b/src/initscripts/init.d/mountkernfs
index 1e5be05..9cbceb4 100644
--- a/src/initscripts/init.d/mountkernfs
+++ b/src/initscripts/init.d/mountkernfs
@@ -21,12 +21,12 @@ case "${1}" in
 if ! mountpoint /proc &> /dev/null; then
 boot_mesg -n " /proc" ${NORMAL}
- mount -n /proc || failed=1
+ mount -n -t proc /proc /proc || failed=1
 fi
 if ! mountpoint /sys &> /dev/null; then
 boot_mesg -n " /sys" ${NORMAL}
- mount -n /sys || failed=1
+ mount -n -t sysfs /sys /sys || failed=1
 fi
boot_mesg "" ${NORMAL}
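Review bot: The explicit `mount -n -t proc /proc /proc` and `mount -n -t sysfs /sys /sys` lines no longer go through the /etc/fstab entries the old `mount -n /proc` form relied on, so whatever mount options those entries carried are presumably dropped here; on a firewall both pseudo-filesystems should be mounted `nosuid,nodev,noexec` regardless, e.g. `mount -n -t proc -o nosuid,nodev,noexec proc /proc || failed=1` and `mount -n -t sysfs -o nosuid,nodev,noexec sysfs /sys || failed=1`. Using `proc`/`sysfs` rather than the mountpoint path as the source argument also follows the usual convention and reads less like a bind mount. Because each call is skipped when `mountpoint` already succeeds, an instance mounted earlier by an initrd keeps its own options, so any hardening added here should be mirrored there. The `case "${1}" in` block these lines belong to begins before the hunk.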